Hey Community -
Wondering if anyone has come up with a good way to automate an alert / alarm when there is an issue with a Firewall reporting to a DLC (distributed log collector)? We have about 27 firewalls all of which send to 1 of 4 log collectors, and we are seeing an increase of Log Forwarding issues --> Some sending only Denies (when all rules are set to forward logs), Some not sending Any... The fix for this is to restart the Log Forwarding process on each device, but this can be very time consuming to check each of the 27 devices to make sure we're getting the logs we expect to get, and then restart the process if necessary. We are relying on the logs in the DLC's for PCI compliance, and to date, Palo Alto Support claims there is no way to get notified if a Firewall stops sending logs to a log forwarder. I would love to hear anything creative anyone else has done to help alleviate this headache...?
I don't have a specific answer. But if your logging platform supports some kind of dashboard page you could setup a graph for the log volume per time period on each firewall. When the graph drops below normal you would see the problem.
Thanks Steven Puluka, the problem is though, that our logging platform is Panorama. Panorama doesn't offer any of those features. It seems so ridiculous that a system that is specifically designed (M-100) to be a Log Collector, doesn't have a way to notify its admins when it's not actually collecting logs from a device that it was previously collecting logs from.
I feel your pain. We use a third party log collector for long term archives and forward directly for the PAN firewalls via syslog. this has consistently worked even when Panorama logging stops collecting.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!